request #9410 Tuleap Realtime server should enable HTTP Strict Transport Security header

Infos

Artifact ID#9410

Submitted byThomas Gerbet (tgerbet)

Last Modified On2018-03-07 09:43

Submitted on2016-08-20 00:19

Rank9687

Details

Summary *

Tuleap Realtime server should enable HTTP Strict Transport Security header

Original Submission

The Tuleap Realtime server can already be used through HTTPS, we should enforce that by enabling HSTS. This will help protecting the communication between the server and the clients against downgrade attack.

Specification: https://tools.ietf.org/html/rfc6797
OWASP description and explanation: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toEmpty

StatusClosed

Close date2018-03-07

Attachments

AttachmentsEmpty

References

Cross references

Show items referenced by request #9410

Referenced by request #9410

Other

gerrit #6368

Follow-ups

Thomas Gerbet (tgerbet)

2018-03-07 09:43

Declining it for now.
There is some technical limitations with the library we use and setting the HSTS header can have subsequent impacts if the domain is reused for something else so it should be an option.

Status changed from Under review to Closed
Close date set to 2018-03-07

Thomas Gerbet (tgerbet)

2016-08-21 21:45

A patch is under review: gerrit #6368.

Status changed from Under implementation to Under review

Public

Referenced by request #9410

Other

Follow-ups